BE - Require group version pin to be exact, and enforce match with the project version

When a flow is created on the group level we should make it pinned to an exact version (e.g. v1.2.3). Then when the flow is added to a project we should use the same version.

This is to prevent a newer possibly malicious version being released and added to a project which would use the group level service account. The group owner should sign off on this before it's allowed to run group wide.